Information Systems and Network Security

Stefano Leucci
Academic Year 2024/2025

Schedule

• Tuesday 16:30 - 18:30. Room C1.16.
• Thursday 11:30 - 13:30. Room C1.16

Office hours: Thursday 16:30 - 18:30. Please send me an email or ask before/after the lectures.

Lectures and Material

Lecture 1: Introduction

Basic information about the course: schedule, prerequisites, course program, textbooks, and exams.

Modelling communication through an insecure channel. The Confidentiality, Authentication, and Integrity properties.

An overview of some advanced applications of cryptography (informal): Secret Sharing (t-out-of-n threshold secret-sharing schemes), secure multiparty computation, zero knowledge protocols.

Types of cryptography, the private-key (symmetric) and the public-key (asymmetric) settings. Formal definition of a private-key encryption scheme. Security through obscurity and Kerckhoffs’ principle.

Material

• Sections 1.1 and 1.2 of [KL].
• Slides of the lecture.

Lectures 2 and 3: Historic Ciphers

Caesar cipher and shift ciphers: encrypting and decrypting messages, formal definition and correctness of the encryption scheme. Breaking shift ciphers: bruteforce attacks. The sufficient key-space principle.

Monoalphabetic substitution ciphers: encrypting and decrypting messages. Security: the sufficient key-space principle not a sufficient condition for security, breaking the cipher once a small part of the plaintext is known, guessing the initial part of the plaintext with frequency analysis.

The Vigenère cipher: encrypting and decrypting messages, the tabula recta. Security: splitting the ciphertext into multiple ciphertext with the same shift, recovering the key length (bruteforce, Kasiski’s method, the index of coincidence method), recovering the plaintext by breaking the shift ciphers.

The scytale cipher: encrypting, decrypting, and breaking the cypher using a tapering cone. The scytale cipher as a special type of transposition cipher.
Regular and irregular columnar transposition ciphers, double (irregular) transposition ciphers. Weaknesses of transposition ciphers.

Material

• A discussion of the Ceasar cipher, the shift cipher, and the Vigenère cipher can be found in Section 1.3 of [KL].
• Slides of the lecture.
• Two challenge ciphertexts. Can you decrypt them and recover the corresponding key? first ciphertext, second ciphertext.
• A Jupyter notebook demonstrating how to break shift and Vigenère ciphers.

Lecture 4: Defining Security, Perfect Secrecy

Ingredients of a security definition: security guarantee and threat model. Common threat models (Ciphertext-only attacks, Known-plaintext attacks, Chosen-plaintext attacks, Chosen-ciphertext attacks) and real-word scenarios in which these attacks can be carried out.

Security Guarantees: several informal attempts at a good definition and counterexamples, Shannon's treatment and his definition of Perfect secrecy, an alternative definition of perfect secrecy (with proof of equivalence). Proving that shift ciphers are not perfectly secret (using both definitions). A third definition based on a perfect indistinguishability experiment. Equivalence of the three definitions (with proof). Proving that the Vigenère cipher is not perfectly indistinguishable.

Material

• Sections 1.4.1 and 2.1 of [KL].
• Slides of the lecture.

Lecture 5: The Vernam Cipher (One-time Pad)

The Vernam cipher (or one-time pad, OTP): formal definition, proof of correctness, proof of security using the alternative definition of perfect secrecy.

Caveats and limitation of OTP: sharing and storing long keys, generating random bits, reusing the key leaks the XOR of the plaintexts. Attacks based on the malleability of OTP.

Necessary and sufficient conditions for perfectly secret private-key encryption schemes: the key-space must be at least as large as the message space (with proof and corollaries); two attacks on schemes with less keys than messages; Shannon's theorem. Proof of security of OTP using Shannon's theorem.

Material

• Sections 2.3, 2.3, and 2.4 of [KL].
• A proof of Shannon's theorem along with the stronger version discussed in class can also be found in Section 1.3.4 of [PS].
• Slides of the lecture.

Lecture 6: Computational Secrecy and Pseudorandom Generators

The notion of computational secrecy. Relaxing perfect indistinguishability by (i) considering only efficient adversaries; and (ii) allowing secrecy to fail with small probabilities.

The concrete definition of computational secrecy: (t, epsilon)-indistinguishability. Problems with the concrete definition, and the asymptotic approach. Polynomially bounded functions and negligible functions.

Redefining private-key encryption schemes to account for the security parameter. Redefining the adversarial indistinguishability experiment to account for the security parameter and polynomial-time adversaries. Formal definition of computational indistinguishability. The indistinguishability experiment does not protect against leaking the length of the message: discussion and implications for security.

Pseudorandom Generators (PRGs): intuitive definition, existence, and the relation with the P vs NP problem. Formal definition of PRG. Statistical tests. Non-efficient statistical tests can always distinguish the output of a PRG from true randomness with a non-negligible probability gap. Applications of PRGs: replacing random bits in randomized algorithms and derandomization.

Material

• Sections 3.1, 3.2.1, and 3.3.1 of [KL].
• Slides of the lecture.

References

• [KL]: Jonathan Katz, Yehuda Lindell. Introduction to Modern Cryptography, 3rd edition. CRC Press. ISBN: 978-0815354369.
• [S]: Nigel P. Smart. Cryptography Made Simple. Springer. ISBN: 978-3319219356.
• [G]: Oded Goldreich. Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press. ISBN: 978-0521035361.
• [PS]: Rafael Pass and Abhi Shelat. A Course in Cryptography (3rd ed.)